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0 Key distribution method. 



® The invention relates to a method of distributing 
a l<ey for enciphering un unenciphered or plaintext 
message and for deciphering the enciphered mes- 
sage. 

The method comprises the following steps: 
generating a first random number in a first system 
(101): generating first key distribution information in 
the first system (101) by applying a predetermined 
first transformation to the first random number on the 
basis of first secret information Icnown only by the 
first system (101); transmitting the first key distribu- 
tion information to a second system (102) via a 
communication channel (103); receiving the first key 
distribution information in the second system (102); 
generating a second random number in the second 
system (102); generating second key distribution In- 
formation by applying the predetermined first trans- 
^ formation to the second random number on tiie 
^ basis of second secret infonmation known only by 
Ifjthe second system (102); transmitting the second 
JO key distribution information to the first system (101) 
lAvia the channel (103); receiving tiie second key 
1^ distribution Information in the first system (101); and 
m generating an enciphering key in tiie first system 
^(101) by applying a predetermined second trans- 
Q formation to the second key distribution information 
on the basis of the first random number and iden- 
^tification information of tiie second system (102) 
which is not secret 
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KEY DISTRIBUTION METHOD 



BACKGROUND OF THE INVENTION 

The invention relates to a method of distribut- 
ing a key for enciphering an unenclphered or plain- 5 
text message and for deciphering the enciphered 
message. 

A public Icey distribution method used in a 
public key cryptosystem as a well-known key dis- 
tribution method is disclosed in a paper entitled 10 
"New Directions in Cryptography" by W. Diffie and 
M.E. Hellman, published In the IEEE Transactions 
on Information Theory. Vol. IT-22, No. 6. pp. 644 to 
654. November issue. 1976. The key distribution 
method disclosed in the paper memorizes public is 
infomnation for each of conversers. In the system, 
before a converser A sends an enciphered mes- 
sage to a converser B, the converser A prepares 
an enciphering key (which represents a number 
obtained by calculating Yb (mod £ )) gen- 20 
erated from public Information Yb of the converser 
B and secret information which is kept secret 
by the converser A. The number £ is a large prime 
number of about 256 bits in binary representation, 
which is publicly known, a (mod b) means a 25 
remainder of division of the number a by the num- 
ber b. The converser B also prepares" the key wk In 
accordance to Ya^b (nnod £) in a similar man- 
ner. Ya and Yb are selected so as to be equal to 
a^A (mod 2) and (mod £), respec- 30 

tively. As a result. Yb (mod £ ) becomes 
equal to Ya^6 (mod £). It is known that even if 
Ya, a and £ are known, it is infeasible for anybody 
except the converser A to obtain Xa which satisfies 
Ya = a'^A (mod £). 35 

The prior art key distribution system of the 
type described, however, has disadvantages in that 
since the system needs a large amount of public 
information corresponding to respective convers- 
ers. the amount of the public information Increases 40 
as the number of conversers increases. Further, 
strict control of such information becomes neces- 
sary to prevent the information from being tam- 
pered. 



SUMMARY OF THE INVENTION 

An object of the invention is, therefore, to pro- 
vide a key distribution method free from the above- so 
mentioned disadvantages of the prior art system. 

According to an aspect of the invention, there 
is provided a method which comprises the follow- 
ing steps: generating a first random number in a 
first system; generating first key distribution in- 



fonnnation in the first system by applying a pre- 
detennined first transformation to the first random 
number on the basis of first secret information 
known only by the first system; transmitting the 
first key distribution information to a second sys- 
tem via a communication channel; receiving the 
first key distribution information in the second sys- 
tem; generating a second random number in the 
second system; generating second key distribution 
information by applying the predetermined first 
transformation to the second random number on 
the basis of second secret infonmation known only 
by the second system; transmitting the second key 
distribution information to the first system via the 
channel; receiving the second key distribution in- 
fonmation in the first system; and generating an 
enciphering key in the first system by applying a 
predetermined second transformation to the sec- 
ond key distribution Information on the basis of the 
first random number and identification Information 
of the second system which i& not secret 

According to anotiier aspect of the invention, 
there is provided a method which comprises the 
following steps: generating a first random number 
in the first system; generating first key distribution 
Information by applying a predetermined first trans- 
formation to tiie first random number on the basis 
of public information in the first system and gen- 
erating first identification information by applying a 
predetermined second transformation to the first 
random number on the basis of first secret informa- 
tion known only by the first system;* transmitting 
the first key distribution information and the first 
identification information to a second system via a 
communication channel; receiving the first key dis- 
tribution information and the first Identification In- 
formation in the second system; examining whether 
or not the result obtained by applying a predeter- 
mined tiiird transformation to the first key distribu- 
tion information on tiie basis of the first identifica- 
tion information satisfies a first predetermined con- 
dition, and, if it does not satisfy, suspending key 
distribution processing; generating a second ran- 
dom number if said condition is satisfied in tiie 
preceding step; generating second key distribution 
information by applying the predetermined first 
transfomnation to the second random number on 
the basis of tiie public information, and generating 
second identification information by applying the 
predetennined second transformation to tiie sec- 
ond random number on tiie basis of second secret 
infomnation known only by the second system; 
transmitting tiie second key distribution infonmation 
and the second identification information to the first 
system via the communication channel; and exam- 
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ining whether or not the result obtained by applying 
a third predetermined transformation to the second 
key distribution information on the basis of the 
second identification infonnation in the first system 
satisfies a predetermined second condition, and if 
the result does not satisfy the second condition, 
suspending the key distribution processing, or rf it 
satisfies the second condition, generating an enci- 
phering key by applying a fourth predetermined 
transformation to the first random number on the 
basis of the second key distribution Information. 



BRIEF DESCRIPTION OF THE DRAWINGS 

Other features and advantages of the invention 
will become more apparent from the foliowing de- 
tailed description when taken In conjunction witii 
tiie accompanying drawings in which: 

RG. 1 is a block diagram of a first embodi- 
ment of tfie invention; 

RG. 2 is a block diagram of a second em- 
bodiment of tiie invention; and 

RG. 3 is a block diagram of an example of 
systems 101. 102. 201 and 202. 

In tiie drawings, tiie same reference numerals 
represent the same structural elements. 



PREFERRED EMBODIMENTS 

Refening now to RG. 1, a first embodiment of 
tiie invention comprises a first system 101. a sec- 
ond system 102 and an insecure communication 
channel 103 such as a telephone line which ti-ans- 
mlts communication signals between tiie systems 
101 and 102. It Is assumed herein tiiat tiie systems 
101 and 102 are used by users or conversers A 
and B. respectively. The user A has or knows a 
secret integer number Sa and public integer num- 
bers e, c, a and n which are not necessarily secret 
while ttie user b" has or knows a secret integer 
number Seand \he public integer numbers. These 
integer numbers are designated and distributed In 
advance by a reliable person or organization. The 
metiiod to designate the integer numbers will be 
described later. 

An operation of tiie embodiment will next be 
described on a case in which the user A starts 
communication. The system 101 of tiie user A 
generates a random number ^ (Step A1 In FIG. 1) 
and sends a first key distribution code X a repre- 
sentative of a number obtained by computing Sa • 
ay {mod n) (Step A2) to tiie system 1 02 of tfie user 
B (step A3). Next, when the system 102 receives 
tiie code XA(Step B1), It generates a random num- 
ber t (Step B2). calculates P(a*/IDa) * (mod n) (Step 
B5). and keeps the resulting number as a encipher- 



ing key wk for enciphering a message into storage 
means (not shown). The identification code IOa 
represents herein a number obtained by consider- 
ing as a numeric value a code obtained by encod- 

5 mg tiie address, tiie name and so on of tiie user A. 
The encoding Is. for instance, performed on tiie 
basis of tiie American National Standard Code for 
Information Interchange. Then, the system 102 
transmits to tiie system 101 of tiie user A a second 

10 key distribution code Xb repiesentative of a num- 
ber obtained by calculating Sb (mod n ) (Steps 
B3 and B4). 

The system 101. on the ottier hand, receives 
tiie code Xb (Step A4), calculates (Xb^/IDb)''^ (mod 

IS n) (Step A5). and keeps the resulting number as 
tiie key wk for enciphering a message. The idere 
tification code IDb represents tiie numbers obtained 
by considering as a numeric value a code obtained 
by encoding tiie name, address, and so on of tiie 

20 user B. 

Subsequently, communication between the us- 
ers A and B will be conducted by transmitting 
messages enciphered witii the enciphering key wk 
via the channel 103. 

25 The Integer numbers Sa, Sb, e, c. a and n are 
determined as follows, n is assumed to be a prod- 
uct of two suffidentiy large prime numbers g and 
g. For Instance, 2 and g may be 2*8 or so. e and c 
are prime numbers which are equal to or 1^ ttian 

30 n, while a is a positive Integer number which is 
equal to or less tiian n. Furtiier, d is defined as an 
integer number which""satisfies e!d (mod (p-1)*(q- 
1)) = 1. S A and Sb are defined as numbers 
obtainable from IDa** (mod n) and IDs** (mod n). 

35 respectively. 

If Sa, Sb. e. c. a, and n are defined as above, 
IDa and ID a become equal to Sa* (mod n) and 
SB*(mod n). respectively. This can be proved from 
a paper entitied "A Metiiod for Obtaining Digital 

40 Signatures and Publlck-Key Cryptosystems" by 
R.L RIvest et al.. published In tiie Communication 
of tfie ACM, Vol. 21, No. 2. pp. 120 to 126. Since 
tiie key obtained by PCb"/IDb)' (mod n) on tfie side 
of tiie user A becomes equal to o"" (mod n) and 

45 tfie key obtained by P(a'/IDa)^ (mod n ) on tfie side 
of tfie user B becomes equal to a«^"(mod n). tiiey 
can prepare tiie sanne enciphering key. Even if a 
ttiinj party tries to assume tfie identity of tfie user 
A, he cannot prepare tiie key wk since he cannot 

50 find out z which meets ID a = Z* (mod n). 

Referring now to FIG. 2, a second embodiment 
of the invention comprises a first system 201, a 
second system 202 and an insecure communica- 
tion channel 203. It is assumed herein tfiat tfie 

55 systems 201 and 202 are used by users A and B. 
respectively. The user A has or knows a secret 
Integer number Sa and public Integer numbers e, 
c, a, and n, which are not necessarily secret while 
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the user B has or knows a secret integer number 
SBand the pubiic integer numbers. These integer 
numbers are designated and distributed by a reli- 
able person or organization in advance. The meth- 
od to designate the integer numbers will be de- 
scribed later. 

An operation of the embodiment will next be 
described on a case where the user A starts com- 
munication. The system 201 of the user A gen- 
erates a random number ^ (Step AA1 in RQ. 2) 
and detemnines a first key distribution code Xa 
representative of a number obtained by computing 
a"^ (mod n) as well as a first Identification code 
YAindlcative of a number obtained by computing 
Sa •a*^(mod n) (AA2). The system 201 then trans- 
mits a first paTr of Xa and Ya to the system 202 of 
the user B (Step AA3). Thereafter, the system 202 
receives the first pair (Xa . Ya) (Step BBI), cal- 
culates Ya" /Xa® (mod n. and examines whether or 
not the number obtained by the calculation is iden- 
tical to the number indicated by an identification 
code IDa obtained by tiie address, the name and 
so on of the user A in a similar manner to in the 
first embodiment (Step BB2). If they are not iden- 
tical to each other, tiie system suspends process- 
ing of tiie key distribution (Step BB7). On the otiier 
hand, if tiiey are identical to each otiier, the system 
202 generates a random number t (Step BB3) and 
determines a second key distribution code X b 
representative of a number obtained by calculating 
a^' (mod n) and a second identification code Yb 
obtained by calculating Sb ^a^^ (mod n) (Step 
BB4). The system 202 tiien transmits a second pair 
of Xb and Yb to the system 201 of the user A (Step 
BBS). The system 202 calculates Xa* (mod n) and 
keeps the number thus obtained as a enciphering 
key wk (Step BB6). 

The system 201, on the otiier hand, receives 
the second pair PCb, Yb) (Step AA4). calculates Y 
b"/Xb° (mod n), and examines whetiier or not the 
number thus obtained is identical to the number 
indicated by an Identification code IDs obtained by 
the address, the name and so on of tiie user B in a 
similar manner to in tiie first embodiment (Step 
AA5). If they are not identical to each other, the 
system suspends tiie key distribution processing 
(Step AA7). If tiiey are identical to each otiier. tiie 
system 201 calculates Xb" mod n), and stores the 
number thus obtained as a enciphering key wk 
(Step AA6). Aftiiough the codes IDa and JD b are 
widely known, tiiey may be informed by tiie user A 
to the user B. 

The Integer numbers Sa. Sb. e, c. a and n are 
determined in the same manner as in the'^first 
embodiment As a result, ID a and IDb becomes 
equal to YaW (mod n) (= S^ •a««/a«« (mod n)) 
and YbW (mod n) ("= S| •a««/o«'^ (mod nl). 
respectively. If we presuppose that tiie aboveniien- 



tioned reliable person or organization who prepared 
Sa and Sb do not act illegally, since Sa is pos- 
sessed only by the user A while Sb is possessed 
only by the user B. the first pair (x a. yjd whteh 
5 satisfies yA* /xa*" (mod n) = IDa can be prepared 
only by tiie user A white tiie second pair (xb , ys) 
which satisfies ys^^e*^ (mod n) = IDs can be pre- 
pared only by the user B. It Is impossible to find 
out a number x which satisfies x* (mod n) = b on 

10 the basis of f. band ji since finding out X is 
equivalent to bre^ng he RSA public key cryp- 
togram system disclosed In the above-mentioned 
the Communication of the ACM. It is described in 
the above-referenced IEEE Transactions on Infer- 

75 mation Theory that tiie key wk cannot be cal- 
culated from the codes xa or xb and a The key 
distribution may be implemented similarly by mak- 
ing tiie integer number C variable and sending It 
from a user to another. 

20 An example of the systems 101. 102, 201 and 
202 to be used in tiie first and second embodi- 
ments will next be described refemng to FIG. 3. 

Referring now to RG. 3, a system comprises a 
terminal unit (TMU) 301 such as a personal com- 

25 puter equipped witii communication processing 
functions, a read only memory unit (ROM) 302, a 
random access memory unit (RAM) 303, a random 
number generator (RNG) 304, a signal processor 
(SP) 306. and a common bus 305 which intercon- 

30 nects the TMU 301, tiie ROM 302, tiie RAM 303. 
tiie RNG 304 and the SP 306. 

The RNG 304 may be a key source 25 dis- 
closed in U.S. Patent No. 4,200.700. The SP 306 
may be a processor available from CYUNK Cor- 
as poration under tiie tirade name CY 1024 KEY MAN- 
AGEMENT PROCESSOR. 

The RNG 304 generates random numbers r or 
t by a command given from the SP 306. The ROM 
407 stores the public integer numbers e , c, o, n 

40 and the secret integer number Sa (\f tiie^ROM 407 
is used in the system 101 or 201) or the secret 
integer number Sb Of the ROM 407 is used in tiie 
system 102 or 202). The numbers Sa and Sb may 
be stored in tiie RAM 303 from tiie TMU 301 

45 everytime users communicates. According to a 
program stored in the ROM 407, the SP 306 ex- 
ecutes the above-mentioned steps A2. A5. AA2, 
AA5, AA6 and AA7 (if ttie SP 306 Is used In the 
system 101 or 201), or tiie steps B3, B5. BB2, 

50 BB4, BB6 and BB7 (ff tiie SP 306 is used in the 
system 102 or 202). The RAM 303 Is used to 
temporarily store calculation results in tiiese steps. 

Each of tiie systems 101. 102. 201 and 202 
may be a data processing unit such as a general 

55 purpose computer and an IC (integrated circuit) 
card. 
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As described in detail hereinabove, this inven- 
tion enables users to effectively implement key 
distribution simply with a secret piece of informa- 
tion and several public pieces of information. 

While this Invention has thus been described in 
conjunction with the preferred emtxxiiments there- 
of, it will now readily be possible for those skilled In 
the art to put this invention into practice in various 
other manners. 



Claims 

1. A key distribution metiKtd comprising ttie 
following steps: 

a) generating a first random number in a first 
system; 

b) generating first key distribution infomna- 
tion in said first system by applying a predeter- 
mined first transformation to said first random num- 
ber on the basis of first secret Infbmiation known 
only by said first system; 

c) transmitting said first key distribution in- 
formation to a second system via a communication 
channel; 

d) receiving said first key distribution in- 
formation in said second system; 

e) generating a second random number in 
said second system; 

f) generating second key distribution infor- 
mation by applying said predetermined first trans- 
formation to said second random number on tiie 
basis of second secret information known only by 
said second system; 

g) transmitting said second key distribution 
information to said first system via said channel; 

h) receiving said second key distribution in- 
formation in said first system; and 

i) generating an enciphering key In said first 
system by applying a predetermined second trans- 
formation to said second key distribution Infomna- 
tion on the basis of said first random numt)er and 
identification information of said second system 
which is not secret 

2. A key distribution method as claimed in 
Claim 1. in which said first system includes first 
data processing means for executing said steps a), 
b) and i). and first communication processing 
means for executing said steps c) and h). 

3. A key distribution metfiod as claimed in 
Claim 1 or 2, in which said second system includes 
second data processing means for executing said 
steps e) and f), and second communication pro- 
cessing means for executing said steps d) and g). 

4. A key distribution method comprising the 
following steps: 

a) generating a first random number in a first 
system; 



b) generating first key distribution informa- 
tion in said first system by applying a predeter- 
mined first transformation to said first random num- 
ber on the basis of public Information and generat- 

5 ing first identification information by applying a 
predetermined second transformation to said first 
random number on tiie basis of first secret Informa- 
tion known only by said first system; 

c) transmitting said first key distribution in- 
10 fonnation and said first Identification Information to 

a second system via a communication channel; 

d) receiving said first key distribution in- 
formation and said first identification information in 
said second system; 

75 e) examining whether or not the result ok>- 

tained by applying a predetermined third trans- 
formation to said first key distribution information 
on the basis of said first identification information 
satisfies a predetermined first condition and. if it 

20 does not satisfy, suspending key distribution pro- 
cessing; 

f) generating a second random number If 
said first condition Is satisfied at said step e); 

g) generating second key distribution infor- 
25 mation by applying said predetermined first trans- 
formation to said second random number on the 
basis of said public information, and generating 
second identification information by applying said 
predetennnined second transformation to said see- 
so ond random number on the basis of second secret 

information known only by said second system; 

h) transmitting said second key distribution 
information and said second identification informa- 
tion to said first system via said communication 

35 channel; and 

i) examining in said first system whether or 
not the result obtained by applying a predeter- 
mined third transformation to said second key dis- 
tribution information on tiie basis of said second 

40 identification infomnation satisfies a predetennined 
second condition and, if the result does not satisfy 
said second condition, suspending said key dis- 
tribution processing or, if it satisfies said second 
condition, generating said enciphering key by ap- 

45 plying a predetermined fourth transformation to 
said first random number on the basis of said 
second key distribution information. 

5. A key distribution mettiod as claimed In 
Claim 4, in which said first system includes first 

50 data processing means for executing said steps a), 
b) and I), and first communication processing 
means fbr executing said step c). 

6. A key distribution method as claimed in 
Claim 4 or 5, in which said second system includes 

55 second data processing means for executing said 
steps e), 0 and g). and second communication 
processing means fbr executing said steps d) and 
h). 
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